‘Retaliation’ for Russia's SolarWinds Spying Isn't the Answer

Since even before he took office, President Joe Biden has promised a response to the massive campaign of Russian hacking that came to light just after he was elected. The rhetoric has only grown more heated since, with reports that some sort of reprisal may come in the next three weeks. That's just long enough, cyber policy experts hope, for the Biden administration to rethink its approach and avoid a punitive action against Moscow that, while perhaps politically expedient, would accomplish little and could even detract from efforts to curb a far more dangerous category of Russian hacking.
On Sunday evening, The New York Times published a report stating that the White House plans to retaliate against Vladimir Putin's regime for the hacking campaign known as the SolarWinds hack, in which likely Russian hackers compromised IT management software to access as many as 18,000 networks globally. The list of confirmed victims includes nine US federal agencies, including the Pentagon, the Justice Department, and NASA. The Times reported that the Biden administration plans to respond with "a series of clandestine actions across Russian networks" intended to signal that Russia's hacking campaign crossed a line—"clarifying what the United States believes are in bounds and out of bounds, and what we are prepared to do in response," as national security adviser Jake Sullivan told the paper.But before the US mounts a saber-rattling counterattack, it should pin down exactly what line Russia crossed . Cyber policy wonks are quick to note that any rule that could justify SolarWinds retaliation is one that the US also violates with its own cyberespionage. As politically tempting as exacting punishment may be, it would not only be hypocritical but also would muddle any real attempt to control the Kremlin's other, far more reckless acts of hacking. And whatever precedent the Biden administration sets would likely have implications, too, for its response to a more recent, still-unfolding mass hacking event in which Chinese hackers used Microsoft Exchange vulnerabilities to break into tens of thousands of US networks .
"There are plenty of things to respond to in terms of Russia's malignant behavior, both inside and outside of cyber. This is not one of them," says Dmitri Alperovitch, cofounder of security firm CrowdStrike and now the executive chair of Silverado Policy Accelerator. Alperovitch points out that there's still no evidence that Russia's hacking in this case went beyond stealthy intelligence gathering of the sort the US performs routinely around the world. Even Russia's use of large-scale hacking and supply chain attacks are techniques the US has carried out in the past, through the CIA's secret control of Swiss encryption firm Crypto AG, for instance, or the NSA's backdoor implants in Cisco hardware exposed in the Snowden documents.The SolarWinds operation stands in stark contrast to another class of far more clearly norm-breaking Russian hacking activities, Alperovitch argues. Those more reckless incidents include operations by Russia's GRU military intelligence agency that stole and leaked emails from the Democratic National Committee and Clinton Campaign in 2016, unleashed the NotPetya worm that spread around the world and cost $10 billion in damages , and disrupted the 2018 Winter Olympics by destroying the games' IT backend . Russia's Olympics hack in particular received practically no response from the international community until the US indicted six of the GRU hackers allegedly involved more than two and a half years later .
By contrast the SolarWinds hackers were far from reckless, going so far as to add a kill switch to their code designed to remove their malware from victim networks they ultimately decided not to hit, Alperovitch points out. "It was very targeted, very responsible," he says. "So not only is it not appropriate to whack them over the head for this, but it's actually counterproductive. Because guess what? You're going to piss them off, and the next time they're going to say, screw you, we were responsible last time and we got hammered, so this time we won't be."